Splunk® Universal Forwarder

Forwarder Manual

Configure an intermediate forwarder

Intermediate forwarding is where a forwarder receives data from one or more forwarders and then sends that data on to another indexer. This kind of setup is useful when, for example, you have many hosts in different geographical regions and you want to send data from those forwarders to a central host in that region before forwarding the data to an indexer. All forwarder types can act as an intermediate forwarder.

Configure intermediate forwarding

Set up the intermediate forwarding tier

  1. Install the forwarder on your intermediate host.
  2. See Configure the forwarder to configure the intermediate forwarder to send data to a receiving indexer if you are using Splunk Enterprise. For Splunk Cloud, see Install and configure the Splunk Cloud Platform universal forwarder credentials package to set up credentials.
    1. If you install the forwarder on Windows, you can specify the receiving indexer during the installation process.
  3. Configure the intermediate forwarder to receive data. See Configure a receiver using a configuration file.
  4. (Optional) Configure any local data inputs on the intermediate forwarder. See Configure local data inputs.
  5. Restart the forwarder services.

You can repeat these steps to add more forwarders to the intermediate tier.

Configure forwarders to use the intermediate forwarding tier

  1. Install the universal forwarder.
  2. Configure the forwarder to send data to the intermediate forwarder. In this scenario, the intermediate forwarder acts as the receiver.
  3. Configure local data inputs on the forwarder.
  4. Restart the forwarder services.

Test the configuration

  1. In Splunk Web, log into your Splunk deployment.
  2. Open the Search and Reporting app.
  3. Run a search that contains a reference to one of the hosts that you configured to send data to the intermediate forwarder

    host=<name or ip address of forwarder> index=_internal


    If you do not see events, then the host has not been configured properly. See Troubleshoot the universal forwarder for possible fixes.

See also

If you have access to the Edge Processor solution, you can use Edge Processors to fulfill many of the same requirements as an intermediate forwarder tier. For example, you can send data from multiple forwarders in different geographical regions to an Edge Processor that serves as a central host in a specific region, and then send data from that Edge Processor to an indexer. You can also use the Edge Processor to transform the data before routing it to an indexer. For more information, see About the Edge Processor solution in the Use Edge Processors manual.

Last modified on 22 March, 2024
Start or stop the universal forwarder   Configure forwarding with outputs.conf

This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.3.1, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters